RE: MODIFY-01 cluster: 25 CERT candidates moved to MODIFICATION phase

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I tend to agree with Andre on this one... we enter the vulnerability
and then link it to the affected components (OS, application, service,
etc.) as well as appropriate safeguards and workarounds for each
component. This allows us to link multiple affected components to a
single vulnerability description and references. But the CVE is not
set up this way.
Not sure how to answer this, but it would seem IMHO that you either
list all affected applications in one description (defeats the short,
concise description) or have multiple CVE entries and cross-reference
them to show they are affected by the same vulnerability (adds
considerable entries to the CVE database). I would rather see a single
entry with multiple affected applications.
-Mike Prosser

-----Original Message-----
From: Andre Frech (ISS) [mailto:afrech@iss.net]
Sent: Wednesday, June 23, 1999 7:32 PM
To: Steven M. Christey; cve-review@linus.mitre.org
Subject: RE: MODIFY-01 cluster: 25 CERT candidates moved to MODIFICATION phase

Good point; we went through the same contortions and evolution with this
vulnerability.

First of all, I don't believe it to be a LOA problem (even if I don't really
believe in voodoo). Therefore, we could go two ways on this type of issue:
either enumerate all the mailers and risk missing one (which IMHO is a
function of a vulnerability database (VDB), not the CVE) or use a general
term, such as "some MIME-compliant mailers..."

If we choose to enumerate, then it'll cascade into "not listing all OSes,
versions, etc.", which again degrades into a VDB's job (no offense to those
who own VDBs).

As background, originally we heard about this vuln affecting Outlook, and
then it was broadened to all MIME-compliant mail programs. (That is why our
term is a bit misleading; once defined, an X-Force tagname is set in stone,
or at least in wet concrete on a summer day.)
Good point, Adam and Steve.

=====================================
Andre Frech
X-Force Security Research
afrech@iss.net
Internet Security Systems, Inc.
678.443.6241 / fax 678.443.6479
www.iss.net
Adaptive Network Security for the Enterprise
=====================================
> -----Original Message-----
> From: Steven M. Christey [mailto:coley@linus.mitre.org]
> Sent: Wednesday, June 23, 1999 1:40 PM
> To: cve-review@linus.mitre.org
> Subject: Re: MODIFY-01 cluster: 25 CERT candidates moved to MODIFICATION phase
>
>
>
> Adam Shostack asked me the following question, which touches on a
> potentially delicate issue that nonetheless should be addressed sooner
> rather than later. Quiet people may want to pipe up on this one ;-)
>
> | Candidate: CAN-1999-0004
> | Published:
> | Final-Decision:
> | Interim-Decision:
> | Modified: 19990621-01
> | Announced: 19990607
> | Assigned: 19990607
> | Category: SF
> | Reference: CERT:CA-98.10.mime_buffer_overflows
> | Reference: XF:outlook-long-name
> | Reference: SUN:00175
> |
> | MIME buffer overflow in email clients, e.g. Solaris mailtool
> | and Outlook.
> |
> | Modifications:
> | ADDREF MS:MS98-008
> | DESC include Outlook
> |
>
> >It occurs to me that there may be a [level of abstraction] issue
> >here. Why are we grouping all mailtools into one entry? If we choose
> >to do this, we need to add at least Eudora as well. It's fairly clear
> >to me that these are distinct.
>
> I see how you think this could be an LOA (level of abstraction) issue.
> There are multiple applications affected.
>
> From my perspective, we shouldn't divide this into separate
> vulnerabilities because:
> - the same "exploit" would work on any of these applications
> (modulo the OS the application is on)
> - the bug occurs in multiple applications, but these applications
> all do the same thing (i.e. process email)
> - the bug is in the same functional component/specific "operation"
> of the applications, i.e. the MIME conversion
> - the bug has been discovered in each application at (basically)
> the same time
>
> To me, this is the same implementation flaw, spread across different
> implementations of the same type of application, so this is the
> appropriate LOA to use. (Er, I suppose I could have written that
> better). Do people agree with this perspective?
>
> Note that the description singles out mailtool and Outlook, ignoring
> the other applications that are affected. Assuming we agree on the
> LOA, should the description be modified to list all affected clients?
>
> - Steve
>
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2
iQA/AwUBN3jNcBIUaHPadf5hEQL0JQCg6gJMQsVFXf3rnGadGHDqVpvwA1YAoJ83
lI93EwEx3sawm+j873i4DkOZ
=trvt
-----END PGP SIGNATURE-----